
Hugh Pickens writes "CNN reports that now that smartphones double as wallets and bank accounts — allowing users to manage their finances, transfer money, make payments, deposit checks and swipe their phones as credit cards — smartphones have become very lucrative scores for thieves and with 30% of phone subscribers owning iPhones, BlackBerrys and Droids, there are a lot of people at risk. Storing a password and keeping your phone locked is a good start, but it's not going to protect you from professional fraudsters. 'Don't think that having an initial password set on your phone can stop people from getting in there,' says Nikki Junker, a victim advisor at the Identity Theft Resource Center. 'It's a very low level of protection — you can even find 30-second videos on how to crack smartphone passwords on YouTube.'"

Well, that's true. Any suitably light-fingered individual is well qualified to attempt to lift my phone out of my front pants pocket, provided that they don't mind taking the chance that I might smash their brains in.

But then I personally think it's incredibly stupid to put any kind of financial details on anything that is so easily and casually stolen. I don't even leave such information lying around (at least in a form that is worth the tr

What's "financial details"? If you have a phone that stores e-mail, and you've ever had your bank/PayPal/credit card/Amazon/etc. send you an "I've forgotten my password" email.... then that info is fairly easy to access. Even finding out answers to your typical "security questions" would be fairly trivial.

I would be surprised if your average smartphone user has thought this through.

It comes down to how much you perceive the risk of using a tool. You know your shotgun can potentially do a whole lot of damage. That's its express purpose after all.
A car doesn't seem as dangerous, but even though it wasn't designed for that purpose it can do a lot of damage, and I wouldn't be surprised when the relevant statistics show that percentage wise, a lot more people get accidentally hurt by cars than by shotguns.
The same partly applies to blunt vs. sharp kitchen knives, with people getting cut

No, that's risk. The car is enormously dangerous whether you can see well or not. If you intend to use it to harm, having good eyesight makes it *more* dangerous. It is indeed the most dangerous thing most people own, with the possible exception of a gun (if they own one).

There are countries I can think of where firearms are likely more dangerous than vehicles, but the US is not one of them.

From 1999 to 2007, the total motorized vehicle death rate was 14.76 per 100,000. The firearm death rate during the same period was 10.33 per 100,000. That said, I'm not sure it matters much. Each side will frame the numbers in ways that support their bias, and will argue endlessly over which comparison is "more accurate." In the end, the only quantifiable "fact" is that one kills people m

Semantic quibble, which comes down to people's ability to assess risk. Guns vs. swimming pools. The point is, the phone is a terrible choice for security related matters, because it wasn't specifically designed to be an e-wallet from the ground up.

Depends on the door. A wooden door with an aftermarket bolt would only stop opportunistic threats. A door designed from the ground up to be secure would have multiple locking bars which engage in all directions, into a metal frame which would also be part of the overall secure design. That would go some way to reduce the single point of failure which a single bolt represents.

If I stuck a deadbolt cylinder on a hollow core door used for internal rooms, someone could easily kick it in without a moment's thought.

If I stuck a cylinder on a European lock that had multipoint locking, a solid jamb that uses steel rails that are sunk into the foundation, it would require a hydraulic ram to open it.

Similar with phones. If I stuck a PIN on an open device, there would be ways to get around it. However, if the device was built from the ground up with encrypted filesystems, keys in a secure RAM partition, and anti-brute-force code where PIN guessing resulted in longer delays, and eventually a complete zeroization of the device, the same PIN that might be worthless on one device may adequately protect another.

One can see this when comparing a TrueCrypt keyfile stored on a cryptographic token (or an IronKey) with one stored on a generic USB flash drive. After try #20 with the USB flash drive, it doesn't matter, especially if one just copies the ciphertext to another image to protect against self-destruct software. The same data stored on a hardware device using hardware encryption will be long gone before attempt #20 could even be made.

A 4 digit PIN can be excellent protection, or it can be a joke depending on how the device is architected.
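The two cases the comment above describes, written out as an added example (not code from the original thread): a lock screen that throttles and zeroizes after a fixed number of failures, versus a copied image that can be searched at leisure. The lockout numbers, the toy key derivation and the "device secret" that never leaves the hardware are constructed for illustration.

```python
# Added example (not from the original thread): the same 4-digit PIN against a
# device that throttles and zeroizes, and against a copied image. The lockout
# numbers, toy key derivation and device-bound secret are constructed.
import hashlib

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every 4-digit PIN, in order


def derive_key(pin: str, device_secret: bytes) -> bytes:
    """Toy key derivation. A non-empty `device_secret` models a key that never
    leaves the hardware; an empty one models a key that depends on the PIN alone."""
    return hashlib.sha256(device_secret + pin.encode()).digest()


def verifier(key: bytes) -> bytes:
    """Value stored next to the ciphertext so the right key can be recognised."""
    return hashlib.sha256(b"verify:" + key).digest()


class LockedDevice:
    """Lock screen that delays guesses and zeroizes after `wipe_after` failures."""

    def __init__(self, pin: str, device_secret: bytes, wipe_after: int = 10):
        self._secret = device_secret
        self._verifier = verifier(derive_key(pin, device_secret))
        self.wipe_after = wipe_after
        self.failures = 0
        self.wiped = False

    def delay_before_next_guess(self) -> float:
        """Seconds imposed before the next guess: three free tries, then doubling."""
        return 0.0 if self.failures < 3 else float(2 ** (self.failures - 3))

    def try_pin(self, pin: str) -> str:
        if self.wiped:
            return "wiped"
        if verifier(derive_key(pin, self._secret)) == self._verifier:
            return "unlocked"
        self.failures += 1
        if self.failures >= self.wipe_after:
            self._verifier = b""  # zeroize: nothing left to unlock
            self.wiped = True
            return "wiped"
        return "wrong"


def online_guessing(device: LockedDevice) -> dict:
    """Guess PINs in order through the lock screen until unlock or wipe."""
    waited, guesses = 0.0, 0
    for guess in PIN_SPACE:
        waited += device.delay_before_next_guess()
        guesses += 1
        outcome = device.try_pin(guess)
        if outcome != "wrong":
            return {"outcome": outcome, "guesses": guesses, "waited_s": waited}
    return {"outcome": "exhausted", "guesses": guesses, "waited_s": waited}


def offline_search(stored_verifier: bytes, secret_in_copy: bytes):
    """Search a copied image: the lockout is gone, so the only defence left is
    whether the copy contains everything the key depends on."""
    for guess in PIN_SPACE:
        if verifier(derive_key(guess, secret_in_copy)) == stored_verifier:
            return guess
    return None
```

With the hardware-bound secret, the lock screen is the only path and it ends after ten guesses; with a PIN-only key, the copied image falls to a full search of all 10,000 PINs in well under a second.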

No. If you just bolted on a door to something built without other consideration of security, it's not going to do very well. In fact, a house *is* security--the door is your access point. A door as just "bolt-on" security would be a door sitting there without any walls.

The point is, the phone is a terrible choice for security related matters, because it wasn't specifically designed to be an e-wallet from the ground up.

You can never, ever just bolt-on security.

By this implied definition of e-wallet, a real wallet isn't really designed as a wallet from the ground up either. My wallet has essentially no security once it's out of my hands through theft or loss. But I do get the point, one might store even more valuable information in an e-wallet than just the cash and credit card numbers present in an r-wallet. Bank passwords, other account passwords could lead to considerably more damage than the $50 per credit card loss one might incur. Unless of course, you carry

With passcodes, setting the phone to wipe on a few failed tries? Almost everyone I know lacks a passcode on their mobile device - giving anyone the freedom to dig into their personal lives. I just don't think people realize what a risk it is at all.

I'd also like to know which devices can be cracked in 30 seconds. With iPhone 4's full device encryption, I don't see how the key can be cracked in under 10 tries before it would wipe itself. But, I'd like to know.

The risk appears to only be for Android phones, because the swipe-to-unlock leaves smudges that can be visually decoded to tell the thief the "password". I can't see how this security vulnerability affects iPhones with their tap-based passcode.

And yes, I have a passcode on my phone. It takes about a day for the annoyance factor to dissipate, and IMHO you're nuts not to have one.

The risk appears to only be for Android phones, because the swipe-to-unlock leaves smudges that can be visually decoded to tell the thief the "password". I can't see how this security vulnerability affects iPhones with their tap-based passcode.
And yes, I have a passcode on my phone. It takes about a day for the annoyance factor to dissipate, and IMHO you're nuts not to have one.
Simon

OK, I don't have an iPhone, so what is a tap-based passcode? Just typing digits on a 10-key style screen interface or something like that? I've got a smartphone, but not an iPhone, and have been reluctant to keep anything too valuable (or personal) on it for lack of password protection, and I've resisted using password protection because of how annoying I imagine it to be. Am I totally wrong about how big a hassle it is?

The iPhone unlock is a 4-digit PIN. I think you can use more digits, but 4 is enough, given that you only get 5 tries.

As I said, I found it annoying at first, but after a day or so, I don't really notice it. You don't need to unlock the phone to answer calls, so it's about 2 seconds to unlock then use the phone. Well worth it IMHO.

The thing is, you need to do it in one swipe - and you're going to do it pretty commonly. So there'll be a long continuous smudge where you left it unlocked. It'll 'overwrite' previous smudges, and chances are you're not doing long swipes on other things. Unless you have Swype or something.

err, the grass is greener on the other side buddy. Here you are saying you want to get an iPhone and here I am saying I'm going to get an Android (well, the dual core one when it comes out at least... assuming it doesn't have any gating issues)

TBH unless you need an iPod touch there isn't a lot of good reason to get an iPhone at this stage. I have to turn my phone off and back on at work sometimes because of its inability to get any data throughput despite having a connection. Granted, the iPhone 4 for veri

I'd also like to know which devices can be cracked in 30 seconds. With iPhone 4's full device encryption, I don't see how the key can be cracked in under 10 tries before it would wipe itself. But, I'd like to know.

Couldn't they just dump the memory of the device in its encrypted state and crack it at their leisure?

Actually no, I do not use a smart phone for banking etc. I cannot control the OS installed on the phone, I therefore cannot add bits (apps) knowing for sure that they work as intended, so I do not use the smart phone for banking, or surfing to sites that need log-ins. Log-in type of browsing I use my Linux desktop / laptop for.

Those that do use a smart phone for everything, they should treat the phone just like cash, where if you loose it, you could be well forked, and out of pocket in more ways than one.

The security on a smart phone isn't any worse (in many cases better, even) than that on most people's personal computers. The OS question is irrelevant, the big difference is that it's much easier to gain physical access. Just be vigilant and have a plan ready to immediately block all access if you do lose your phone.

It is lose not loose. Why is it that so many people mix up these words?

In this case, it might well be accurate. If I loose [wiktionary.org] (let loose, free from restraints, or even release my grip on) my smartphone, just like if I did the same with my wallet, I might very well be "forked".

We need to be aware of the security risk of the instruments we use. That said, more advanced and abstract instruments are not necessarily more risky. For instance in a barter system we might use goods, but have the risk of those goods losing value due to decay or market forces. We might say an objective measure such as gold could be secured, but not against inflation. Gold has not kept up with inflation for most of the past 35 years.

So maybe we have currency which can also be lost, stolen, and has no pro

(Took a little while to recover from that ridiculous commercial)
Seems like that device is made to accept credit card payments, not to pay people with credit cards. How does that make losing one's phone any worse than it already is?

Close to (still not quite reaching that number, IIRC) 30% of device sales are smartphones, not 30% of subscribers (and as to "Droids"...Samsung seems to be positioning themselves firmly on top; unless the term starts becoming a genericized (shortcut of) trademark)

It's generally true, but then some revolution or war or other instability comes along and shakes things up a bit. We've experienced too much stability to reinvigorate the new generation.

Also, school is fucking easy now. It's never been easier. The mass Western privatisation/unionisation (delete as inappropriate to your political prejudice) of education is unique to the last couple of decades. Contrast the 400 years of what counted as formal or informal higher education, or skip over the Dark Ages and contra

(also, can't really vouch for educational systems other than my local one... but according to one of my parents (accountant, so with some steady contact with basic math) - my generation apparently covered before highschool their Baccalaureate-level math; generally, schooling isn't even for that long very widespread in the first place / the average level of education is very much higher from the old times / we probably still get greater proportion o

What country? GCSE mathematics in the UK is a joke compared to O-level, and A-level has had the syllabus progressively reduced. More importantly, questions have turned from requiring ingenuity to being something the student will have already seen in the textbook (produced by the same publisher which happens to own the exam board).

As for the average level of education, it's true that more people can read, but learning specific technical skills is not the same as the exercise and application of imagination an

The difference between 50s and 90s in Poland. Note: apparently there was also some decline during the last decade, perhaps largely because of poorly executed educational reform (and...modeled on wrong examples; a bit in the spirit of post-colonial mentality: "they are prosperous, so all must be better").

Nothing too dramatic though, and I'm pretty certain it will continue to improve. Don't look at fluctuations; doesn't help that we are merely convinced of how good our memory is. Add variously colored glasses

"Children now love luxury; they have bad manners, contempt for authority; they show disrespect for elders and love chatter in place of exercise. Children are now tyrants, not the servants of their households. They no longer rise when elders enter the room. They contradict their parents, chatter before company, gobble up dainties at the table, cross their legs, and tyrannize their teachers."

The late '90s were a zenith of Western society, a fair balance of regulation and freedom; technology and tradition.

You've got to be kidding. This ranks right up there with Jodie Foster defending Mel Gibson as "not such a bad guy to work with" while the Russell Williams story was breaking in Canada. He was a great guy in the office, too, but had defects in other life aspects.

You cleverly post this right after I finish reading a long treatise on the nutter-of-the-moment and his trigger words.

Your drunken post was very difficult to read. Are you countering by pointing out that some tech stock was overvalued? Maybe you're young/selfish enough that it's the sort of thing which you consider the height of importance, but perhaps you ought to concentrate on the freedoms and opportunities people enjoyed.

That's my strategy... works really well. I can transfer money online or via telebanking, but I just use that to pay bills. I use cash for everything, and my daily withdrawal limit with the plastic is $100. I cannot direct pay with my bank card... or rather, I can, but the daily limit is $0. I have a VISA card, but I restrict the use of that for recurring monthly payments (TV, Cell phone, Internet), and large purchases.

By forcing myself to use cash for everything, I force myself to have something tangible in

If you think you need to bank from your 'phone, you're doing life wrong.

Seriously agree. In fact, those commercials that show someone querying their credit card or bank balance to see if they can buy a huge flat-screen TV or, quite frankly, any mobile banking issue, illustrates something very wrong with that model and poor personal financial planning and management by those who would rely on such features.

Since I can check my bank balance every day on my phone, I have a much better grasp of my finances. Especially now that I have just bought a house and have additional mortgage payments, it has been a great help in keeping my finances in order. It might depend a lot on the sophistication of the app that your bank provides though, mine has a lot of nice advanced features.

I've got a fair few friends who ONLY have a smart phone, and this smart phone is their entire life line to the world.

At the risk of receiving another angry response from you, would you perhaps consider advising your friends that having a smartphone as your "entire life line to the world" is an unnecessary and fairly dangerous risk? If you're travelling around remote locations, you'd be well advised to carry multiple means of communication - particularly equipment which does not rely on terrestrial infrastructure. A satellite 'phone is an option, as are transceivers for the CB or amateur radio services.

they're continually moving around in rural Australia, that they can't get a good internet connection

If you store the most critical things in the cloud, especially things that you access through your phone, your password is your most dangerous possession, mainly because stealing your phone is not a requirement for getting your data (if your password is unsafe or used from an unsafe location, i.e. with a keylogger). Of course, that has the advantage that if your phone gets stolen, and you are fast enough, you could change your cloud password and disable your phone number.

Only if the added utility is insufficient to outweigh the potential risk. Assuming your phone has a remote wipe feature, and the other security features on the phone buy you enough time to use it, then having your data in the cloud is useful because you haven't lost any data, only the physical phone.

Android users: use KeepassDroid for storing your passwords in a keepass database, and then randomize your important accounts.

Now all you need to remember is one good password. When you tap on an entry after decryption, keepassdroid puts a notification item up, that when activated, pastes the password in your clipboard for pasting into nearly any app or web page. It does smart things like clear the clipboard after a delay, etc.

You can combine it with Dropbox for unified password management on all platforms.

I'm not dumb enough to place any form of important info into ANY device connected to a network. Privacy can not be maintained when so many people have access to the servers and software directly connected to your smart phone or computer. I remember when phones made phone calls...and that was it. No ring tones, no apps, just a basic fully functioning device used to communicate with others. Now people are shocked that the "smart" phone is considered a prize to thieves. It's a key to the bank you use and you kee

If the keys moved around randomly on the screen at the beginning of typing the password and after typing each character, the positions of smudges on the screen would not give any information about the password.
(Yes, this does have an obviously funny reply. Not sure how to upstage it from here. Go ahead and say it, then.)

They're mostly talking about gestures, not typing in a PIN, at least from my reading of the article. Now if there was a set of gestures, and the phone displayed a shape and wanted you to complete a randomly selected (or user-chosen upon setup) gesture, that would increase the complexity of the cracking process. So instead of My Password Gesture, there would be 4-5 shapes (noises? videos?) with a corresponding gesture. Not infallible, but would take it to the next level.

There are a number of MMOs that use PIN security mechanisms identical to this to defeat keyloggers. No reason why touchscreen devices can't easily implement it. It's not difficult or annoying after the first couple of uses.
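The randomized-keypad proposal a few comments up, quantified as an added example (not code from the original thread): how many 4-digit PINs remain consistent with a smudge pattern when the keypad is fixed, versus shuffled before every keystroke. The keypad layouts and the sample PINs are constructed for illustration.

```python
# Added example (not from the original thread): residual PIN keyspace under a
# fixed keypad versus one shuffled before every keystroke. Layouts and sample
# PINs are constructed.
import math
import random

DIGITS = "0123456789"
ALL_PINS = [f"{n:04d}" for n in range(10_000)]
FIXED_LAYOUT = {d: i for i, d in enumerate(DIGITS)}  # digit -> screen position


def shuffled_layout(rng: random.Random) -> dict:
    """A fresh digit -> position mapping, as a randomizing keypad would draw."""
    positions = list(range(10))
    rng.shuffle(positions)
    return dict(zip(DIGITS, positions))


def smudges_left(pin: str, layouts: list) -> frozenset:
    """Screen positions touched while entering `pin`, one layout per keystroke.
    A smudge pattern records where fingers landed, not in which order."""
    return frozenset(layouts[i][d] for i, d in enumerate(pin))


def candidates_fixed(smudges: frozenset) -> list:
    """Fixed keypad: each position is always the same digit, so the smudges
    reveal the exact digit set; only PINs made of exactly those digits remain."""
    position_to_digit = {pos: d for d, pos in FIXED_LAYOUT.items()}
    touched = {position_to_digit[p] for p in smudges}
    return [pin for pin in ALL_PINS if set(pin) == touched]


def candidates_shuffled(smudges: frozenset) -> list:
    """Per-keystroke shuffling: the layouts used are not recoverable from the
    screen, so any position may have been any digit on any keystroke, and any
    PIN (even one of four equal digits) can produce 1 to 4 smudges. Nothing is
    excluded; the smudges carry no information about the PIN."""
    return list(ALL_PINS)


def bits_leaked(remaining: int) -> float:
    """Entropy lost relative to the full 10,000-PIN space."""
    return math.log2(len(ALL_PINS) / remaining)


def compare(pin: str, seed: int = 1) -> dict:
    """Residual keyspace for one PIN under both keypad policies."""
    rng = random.Random(seed)
    fixed = candidates_fixed(smudges_left(pin, [FIXED_LAYOUT] * len(pin)))
    shuffled = candidates_shuffled(
        smudges_left(pin, [shuffled_layout(rng) for _ in pin]))
    return {
        "fixed": len(fixed),
        "shuffled": len(shuffled),
        "bits_leaked_fixed": round(bits_leaked(len(fixed)), 2),
        "bits_leaked_shuffled": round(bits_leaked(len(shuffled)), 2),
    }
```

On a fixed keypad a PIN of four distinct digits leaves only 24 orderings to try (about 8.7 of the 13.3 bits gone); with the keypad reshuffled per keystroke the full 10,000 remain.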

That's a little harsh. Remote wipe is good enough. My corporate Blackberry can be wiped remotely. I think any smartphone should allow me to log in to my account online and activate remote wipe to my device. Maybe they do already. I am sure many folks here have smartphones, does that exist on personal accounts?

Yes but remote wipe would take care of 99% of the dumb criminals. There is very little defence against the smart ones. TFA talks about posting to Facebook and using your device as a credit card which would imply connectivity.

The only weakness on a BB with full encryption enabled is a weak password. Note the flash memory would have to be moved to different hardware and the hardware keys extracted from the phone board, since the phone hardware checks firmware signature so you can't just load your cracking software on the phone hardware.

I'd like to see more phones have the option to completely erase contents after "X" period of time with no network signal. This way, someone can't just pull a SIM card to keep access.

As for remote wipes, sometimes phones do provide non-corporate customers the way to do this. Apple does (you used to need a .me.com account, but apparently with iOS 4.2.1, not anymore). Motorola's Motoblur accounts also have this ability as well.

I do think having E-mail with an Exchange provider (that supports OWA) is a good

Blackberry is great except if you live in a country where the government has been granted access to your device or a country where the government has access but has not disclosed it... oh wait... I guess it isn't that secure after all.